// ========================================================================
// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
// The Eclipse Public License is available at 
// http://www.eclipse.org/legal/epl-v10.html
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
// You may elect to redistribute this code under either of these licenses. 
// ========================================================================

package org.eclipse.jetty.security.authentication;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionActivationListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import javax.servlet.http.HttpSessionEvent;

import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.UserIdentity.Scope;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;

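/**
 * Authentication state that is stored as an attribute of the {@link HttpSession}
 * so that a user stays logged in across requests.
 * <p>
 * Security note: this object is {@link Serializable} and the {@code _credentials}
 * field is NOT transient, so whatever the authenticator passed as credentials
 * (for FORM login, typically the submitted password) is written into the session
 * store together with the user name whenever the session is persisted or
 * replicated. Deployments that persist sessions (file, JDBC, cluster) must protect
 * that store accordingly; the credentials object must also be serializable or
 * session passivation will fail.
 * <p>
 * On deserialization the identity is rebuilt by re-running the login against the
 * current {@link SecurityHandler}'s {@link LoginService} (see {@link #readObject}),
 * so a password change or account removal made while the session was passivated
 * is honoured when it is reactivated.
 */
public class SessionAuthentication implements Authentication.User, Serializable, HttpSessionActivationListener, HttpSessionBindingListener
{

	private static final Logger LOG = Log.getLogger(SessionAuthentication.class);

	private static final long serialVersionUID = -4643200685888258706L;

	/** Session attribute name under which this object is bound. */
	public final static String __J_AUTHENTICATED = "org.eclipse.jetty.security.UserIdentity";

	private final String _method;
	private final String _name;
	/** Serialized with the session; see the class comment for the implications. */
	private final Object _credentials;

	/** Rebuilt on deserialization; may be null if the re-login was rejected. */
	private transient UserIdentity _userIdentity;
	/** The session this object is bound to; set by valueBound / sessionDidActivate. */
	private transient HttpSession _session;

	/**
	 * @param method       the authentication method name reported by {@link #getAuthMethod()}
	 * @param userIdentity the identity established by the authenticator (must not be null;
	 *                     its principal name is captured for later re-login)
	 * @param credentials  the credentials used to establish the identity; persisted with
	 *                     the session so the login can be replayed after passivation
	 */
	public SessionAuthentication(String method, UserIdentity userIdentity, Object credentials)
	{
		_method = method;
		_userIdentity = userIdentity;
		_name = _userIdentity.getUserPrincipal().getName();
		_credentials = credentials;
	}

	public String getAuthMethod()
	{
		return _method;
	}

	/**
	 * @return the current identity, or null if this object was deserialized and the
	 *         re-login in {@link #readObject} did not yield an identity
	 */
	public UserIdentity getUserIdentity()
	{
		return _userIdentity;
	}

	/**
	 * Role check delegated to the identity. Fails closed: when no identity is
	 * available (re-login after deserialization was rejected) every role check
	 * returns false instead of throwing a NullPointerException.
	 */
	public boolean isUserInRole(Scope scope, String role)
	{
		UserIdentity identity = _userIdentity;
		if (identity == null)
			return false;
		return identity.isUserInRole(role, scope);
	}

	/**
	 * Restores the transient identity after deserialization by replaying the stored
	 * name and credentials against the LoginService of the current SecurityHandler.
	 * Requires a SecurityHandler to be current on this thread; otherwise the session
	 * cannot be restored and an IllegalStateException is thrown.
	 */
	private void readObject(ObjectInputStream stream)
		throws IOException, ClassNotFoundException
	{
		stream.defaultReadObject();

		SecurityHandler security = SecurityHandler.getCurrentSecurityHandler();
		if (security == null)
			throw new IllegalStateException("!SecurityHandler");
		LoginService login_service = security.getLoginService();
		if (login_service == null)
			throw new IllegalStateException("!LoginService");

		_userIdentity = login_service.login(_name, _credentials);
		if (_userIdentity == null)
			// The stored credentials are no longer accepted (e.g. password changed);
			// leave the identity unset so role checks fail closed. Do not log _credentials.
			LOG.warn("Re-login after deserialization rejected for {}", _name);
		else
			LOG.debug("Deserialized and relogged in {}", this);
	}

	/**
	 * Logs the user out. If this object is still bound to its session under
	 * {@link #__J_AUTHENTICATED}, the attribute is removed; because this object is
	 * the bound value, the container then invokes {@link #valueUnbound}, which performs
	 * the actual logout. Otherwise the logout is performed directly.
	 */
	public void logout()
	{
		if (_session != null && _session.getAttribute(__J_AUTHENTICATED) != null)
			_session.removeAttribute(__J_AUTHENTICATED);
		else
			doLogout();
	}

	/** Notifies the current SecurityHandler and clears the secured-session marker. */
	private void doLogout()
	{
		SecurityHandler security = SecurityHandler.getCurrentSecurityHandler();
		if (security != null)
			security.logout(this);
		if (_session != null)
			_session.removeAttribute(LoginAuthenticator.SESSION_SECURED);
	}

	@Override
	public String toString()
	{
		return "Session" + super.toString();
	}

	public void sessionWillPassivate(HttpSessionEvent se)
	{}

	public void sessionDidActivate(HttpSessionEvent se)
	{
		if (_session == null)
			_session = se.getSession();
	}

	/**
	 * Captures the session this object is bound to. Previously this was a no-op, so
	 * {@code _session} stayed null until a passivate/activate cycle and
	 * {@link #logout()} on a never-passivated session could neither remove the
	 * {@link #__J_AUTHENTICATED} attribute nor the secured-session marker, leaving the
	 * authentication in the session after logout.
	 */
	public void valueBound(HttpSessionBindingEvent event)
	{
		if (_session == null)
			_session = event.getSession();
	}

	public void valueUnbound(HttpSessionBindingEvent event)
	{
		doLogout();
	}

}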